Automatically make user local administrator on their computer through GPO?

In our AD 2003 domain, each user gets local admin permissions on their computer. Everyone else can log in with their domain account as a normal user.

Right now this means going to the desktop and manually adding the user as a local administrator.

Is there any way to automate this process through logon scripts or GPOs? I have found ways to use a GPO to make everyone who logs in to a computer a local admin, but I really only want to give it to the primary user (or in some cases users) of the computer.

I've also seen methods that required adding a group for each computer... but I really don't want to clutter AD like that.

I do have a list mapping each user to each computer name. If it matters, the desktops are a mix of XP and Win7.


I would hope not. That is not a very secure thing to do. I would encourage users to use a separate account for activities that require elevated permissions. We use a local account, but this could also be a domain account that has been added to the local Administrators group.